Kaspersky in Search of Hackers for New Bug Bounty Program

Kaspersky Lab is ready to pay up to $50,000 in bounty rewards to hackers that find security vulnerabilities in its products, thanks to a new bug bounty program launched today in partnership with HackerOne.

Launched to coincide with the Black Hat conference in Las Vegas this week, the program will be run on the software-as-a-service platform from HackerOne, which provides the technology and automation to help organizations run their own vulnerability management and bug bounty programs.

“With this program, Kaspersky Lab will not only further bolster its mitigation strategy for addressing inherent software vulnerabilities, but also continue enhancing its relationship with external security researchers,” Kaspersky Lab said in a statement.

After the initial six-month phase is complete, Kaspersky says it will evaluate the results to determine what additional products and rewards should be included in the second phase of its bounty program.

“Based on the results of this first phase, we will revise our offering in terms of budget, scope of products and types of vulnerabilities covered moving forward,” the company told SecurityWeek.

“Our bug bounty program will help amplify the current internal and external mitigation measures we use to continuously improve the resiliency of our products,” said Nikita Shvetsov, chief technology officer, Kaspersky Lab. “We think it’s time for all security companies, large and small, to work more closely with external security researchers by embracing bug bounty programs as an effective and necessary tool to help keep their products secure and their customers protected.”

While the Moscow-based security firm may only now be launching its bug bounty program, security researchers have already poked holes in its products over the years.

In October 2015, Google researcher Tavis Ormandy discovered an issue that affected “Network Attack Blocker,” a component in Kaspersky’s software designed to protect devices against dangerous network activity, including port scanning, denial-of-service (DoS), and buffer-overrun attacks.

In December 2015, researchers from enSilo discovered a critical vulnerability in several security products from multiple vendors that could have been exploited by malicious actors to bypass Windows protection features and exfiltrate data. Kaspersky’s Anti-Virus 2015 MR2 and Internet Security 2015 MR2 products were affected.

Security vulnerabilities in endpoint security software products are not rare, unfortunately, and Kaspersky Lab is not alone when it comes to having issues.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.